Five Things to Consider with Photos and GDPR Compliance
The General Data Protection Regulation (GDPR) is an EU data privacy law that regulates how organizations use customers’ personal data. It came into effect on the 25th of May 2018. Prior to the GDPR, it was the user’s responsibility to protect their online personal privacy.
The GDPR puts the responsibility onto the company. Privacy must be offered to the user by default and built into the technology. This is referred to as ‘data protection by design.’ The penalty for GDPR non-compliance is high, with fines up to 4% of the company’s global revenue or €20 million.
What implications does this have for US corporations?
If US corporations collect data on, monitor, or track the behavior of EU-based citizens and residents, they are subject to the GDPR regulations. Personal data covered by the GDPR include names, contact information, IP addresses, location data, photographs, and videos.
Can GDPR apply to U.S. citizens?
Yes, GDPR does apply to US citizens if they are located in the EU at the time that the data is processed. The GDPR uses the term ‘data subject,’ which, according to most interpretations, applies to where the data subject is when their data is processed, not their citizenship or nationality.
How does this affect the use of images, video, and photography?
Whether you are a photographer or a business that features images on your website, you need to be considering GDPR. A photograph in which people can be identified is considered to contain personal data under GDPR. This could apply to pictures of employees or images/videos taken in public places or at events.
Familiarize yourself with GDPR language
The GDPR is relatively extensive, and ensuring compliance can be difficult. There are also always grey areas in relation to the interpretation of the law. For this reason, it’s advisable to seek legal advice to ensure compliance. In the meantime, it could be useful to familiarize yourself with the lawful bases for processing data.
These are outlined in Article 6 of the GDPR:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Consent under GDPR and employee photographs
The GDPR is complex and can be confusing regarding the interpretation of the various lawful bases. Hence the need for professional legal advice.
For example, when obtaining employee consent, this needs to meet the GDPR standard of being "freely given, specific and informed." Therefore, if an employee feels pressured into giving consent, that would not be considered compliant.
Conclusion
U.S. companies and organizations need to be aware of GDPR and its implications. Depending on the nature of your business, it may or may not be applicable. In the case that it is applicable, it’s essential to comply with the GDPR or risk falling foul of the E.U. regulatory commission.
This article is for informational purposes only and should not be construed as legal advice. Please consult with an attorney for legal guidance.